GzipLoader

CapLoader 1.9.6

CapLoader 1.9.6 Released

| | 104.21.7.13:80, 104.223.118.109:443, 104.248.81.48:443, 151.236.9.107:443, 159.89.124.188:443, a85be79f7b569f1df5e6087b69deb493, aptekoagraliy, BackConnect XOR, CapLoader, GzipLoader, IcedID, JA3, JA4, joekairbos, lazirusairnaf, Loda, regex, Remcos, seedkraproboy, t13i010400_0f2cb44170f4_1b583af8cc09, t13i010400_0f2cb44170f4_5c4c70b73fa0, ThreatFox, win.loda
CapLoader now detects even more malicious protocols and includes several new features such as JA4 fingerprints, API support for sharing IOCs to ThreatFox and OSINT lookups of malware families on Malpedia. The ...
NETRESEC Network Security Blog
Cookie parameters from GzipLoader request in NetworkMiner 2.8.1

Forensic Timeline of an IcedID Infection

| | BackConnect, Cobalt Strike, CobaltStrike, ec74a5c51106f0419184d0dd08fb05bc, GzipLoader, IcedID, JA3S, Keyhole, Keylog, NetworkMiner, VNC, Windows Sandbox
The BackConnect and VNC parsers that were added to NetworkMiner 2.8.1 provide a unique possibility to trace the steps of an attacker with help of captured network traffic from a hacked computer ...
NETRESEC Network Security Blog

How to Identify IcedID Network Traffic

| | a0e9f5d64349fb13191bc781f81f42e1, b523e3d33e7795de49268ce7744d7414aa37d1db, beacon, CapLoader, ec74a5c51106f0419184d0dd08fb05bc, GzipLoader, IcedID, Periodic connections, periodicity, video
Brad Duncan published IcedID (Bokbot) from fake Microsoft Teams page earlier this week. In this video I take a closer look at the PCAP file in that blog post. The video cannot ...
NETRESEC Network Security Blog